The most significant difference between Exchange 5.5 and 2000 is the way
they handle directory information. (Directory information is a combination
of not just a list of all your users and their information, but also all
servers, connectors, etc., and where they are in your organization.) Exchange
5.5 had its own Directory Service, as we had talked about earlier, but
Exchange 2000 relies on Windows 2000’s Active Directory directory service.
So grouping users for sending messages will now have to change because in
Exchange 5.5 you had Distribution Lists, but in Windows 2000, users are
grouped as Universal, Global, or Domain Local Groups. Windows 2000 also
separates these three groups into two subtypes called “Distribution Groups”
and “Security Groups.”

Each one (Universal, Global, or Domain Local) can be a security group or
a distribution group and there are different reasons why you would pick one
over the other. As you should already know from Windows 2000, a Domain Local
Group can have members from any domain and access resources only in the
domain it was created in. Global Groups can contain users from the domain they
were created in, but can access resources in any domain. Universal Groups contain
users from any domain and can access resources in any domain. What’s the
difference between Distribution Groups and Security? I thought you’d never
ask. Security Groups are used to assign permissions to objects in your
Forest, however they can be mail-enabled, so they really serve two purposes.
Distribution Groups, on the other hand, are used strictly for email.

When you move a distribution list from Exchange 5.5 to Active Directory,
membership gets mapped to a Universal Distribution Group by default.
Why wouldn’t Microsoft move a distribution list to a security group you may
ask? After all, security groups can be mail-enabled, so you would just be
increasing the functionality. Well, it has to do with the way that
corporations usually use distribution lists and security groups, as
well as the performance differences between the two. Think about it for a
second, when you create a distribution list in Outlook or in Exchange, what
is your purpose? True, you may use it for securing access to public folders,
but most of the time they are used for sending email messages to multiple
entities. OK. You may say, “That doesn’t answer my question. I could still
use a security group and extend my functionality.” The real problem is in
performance. Microsoft has a white paper that explains this very well. Here,
I’ll paraphrase: Whenever you log on to Active Directory, you receive a
Security Token (List of your permissions) from a domain controller. That
token is passed to the global catalog server which matches the user to any
Universal security groups. If you are a member of any of them, the
token reflects that you are. Hence, the more Universal Security
groups that you have on your network, the worse that performance will
actually be for the global catalog server.

Now that you understand how distribution lists are migrated, let’s look
at how we move them. This is done using a utility called the Active
Directory Connector, or ADC. The ADC converts all distribution lists to
universal distribution groups in Windows 2000. But then the problems start,
if you are not careful. You see, public folders in Exchange 2000 act just
like folders in your file system. You can essentially assign permissions to
them just as you would any NTFS folder. Now, think about that for a second.
If permissions are assigned based upon users and security groups,
what happens to all of your permissions for your new distribution groups?
After all, distribution groups do not have security principals (SIDs)
associated with them. Well, STORE.EXE comes along to help out. If one of the
following four things is true, then the distribution group will become a
security group:

Public folders in Exchange 5.5 have distribution lists in the ACL and
the hierarchy is replicated to a public store on an Exchange 2000 server.

The universal distribution group is part of the ACL on a public folder
that is being replicated between Exchange 5.5 and Exchange 2000.

Distribution lists are being used in ACLs on Exchange 5.5 public
folders, and the server is now being upgraded in-place to Exchange 2000.

An Outlook user whose mailbox is on an Exchange 2000 server adds a
universal distribution group to the ACL on a public folder.

Be sure to have a domain in Native mode if any of these are true; otherwise
the process will fail, because STORE.EXE will not be able to create
the Security Groups in AD. If you need to give access to Exchange 2000
public folders, use as few universal groups as possible and leverage the
functionality of global and domain local groups to lighten the load on the
Global Catalog Servers. For email distribution, use universal distribution
groups, because they have no security principal, therefore they will not tax
the global catalog by mapping themselves to the user’s security token.
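
The scopes and types described above are stored in each group's groupType attribute, so the advice to keep universal security groups to a minimum can be checked after a migration. The following is an added example, not part of the original article: it decodes groupType from an LDIF-style export (such as one produced by ldifde) and lists the mail-enabled universal security groups. The sample records and group names are constructed, and the parser assumes plain single-line attributes.

```python
# Added example: audit an LDIF export of group objects for mail-enabled
# universal security groups. All sample records below are constructed.
SCOPE_FLAGS = {0x2: "Global", 0x4: "Domain Local", 0x8: "Universal"}
SECURITY_ENABLED = 0x80000000  # set for security groups, clear for distribution

SAMPLE_LDIF = """\
dn: CN=All Staff,OU=Groups,DC=example,DC=com
groupType: 8
mail: allstaff@example.com

dn: CN=PF Editors,OU=Groups,DC=example,DC=com
groupType: -2147483640
mail: pfeditors@example.com

dn: CN=Finance Share,OU=Groups,DC=example,DC=com
groupType: -2147483644

dn: CN=HR Global,OU=Groups,DC=example,DC=com
groupType: -2147483646
mail: hr@example.com
"""

def parse_records(ldif_text):
    """Split LDIF text into dicts of attribute -> value (single-valued only)."""
    records = []
    for block in ldif_text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                key, _, value = line.partition(":")
                rec[key.strip()] = value.strip()
        if "groupType" in rec:
            records.append(rec)
    return records

def classify(group_type):
    """Return (scope, kind) for a groupType value, signed or unsigned."""
    bits = int(group_type) & 0xFFFFFFFF  # exports show a signed 32-bit number
    scope = next((n for f, n in SCOPE_FLAGS.items() if bits & f), "Unknown")
    kind = "Security" if bits & SECURITY_ENABLED else "Distribution"
    return scope, kind

def mail_enabled_universal_security(ldif_text):
    """DNs of groups that both receive mail and count as security groups."""
    return [rec["dn"] for rec in parse_records(ldif_text)
            if classify(rec["groupType"]) == ("Universal", "Security")
            and "mail" in rec]

if __name__ == "__main__":
    print("Review:", mail_enabled_universal_security(SAMPLE_LDIF))
```
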

Upgrading the Databases

Before you begin your upgrade process, be sure to have the latest service
pack for Exchange Server. Then, be sure Windows 2000 and DNS are properly
configured on your network. BACK UP YOUR EXCHANGE DATABASES!!!! This can
never be emphasized too much. If you do not properly back up your
databases, you can experience something that you never want to: loss of data.
Please do this. If you are intending on setting up Exchange 5.5 on a Windows
2000 server, you should know what additional Exchange components will be
affected by the upgrade.

The actual process of upgrading your Exchange 5.5 Databases to 2000 is
actually very fast. Microsoft touts that Exchange databases can be upgraded
as quickly as 30 GB per hour. You should use this factor to plan how long
the actual upgrade process will take on your system so that you can choose
an appropriate time to do it. Microsoft suggests 30 minutes for prep time
and whatever the size of your DB is factored into 30GBPH transfer time. For
example, if you have a 15 GB Information Store, you should have your system
upgraded in one hour from the time you sit down and take out your Exchange
2000 CD.

If you have multiple connectors to foreign mail systems, you should see
how they will be impacted as well. For example, do you have any EDK-based
connectors, or are you only connecting to mail systems that Exchange 2000
currently supports, like Lotus Notes, cc:Mail, GroupWise, or Microsoft
Mail? If the server is a mailbox server (it hosts email for your clients),
you could either upgrade it in place or move the mailboxes after the
connection is made. If it is a public folder server, the same applies as for
a mailbox server. As far as connector servers are concerned; once your ADC
is in place, either system can replicate changes after synchronization has
occurred between the foreign system and Exchange 5.5, so feel free to test
Exchange 2000 connectors with little fear of how it will affect your
existing system. If you have a small number of servers in a single site,
don’t be too concerned, you can upgrade them without many difficulties.

Exchange 2000 Preparation

So let’s do it. Active Directory should be set up at this point and you
should have an existing Exchange 5.5 Server somewhere. The first step is to
run ForestPrep. Type “d:.exe /ForestPrep” where “D:” is your CD Rom
drive. Enter all of your information until you get to a screen like the one
shown below:

Exchange 2000 Setup with ForestPrep switch enabled

The next step prompts you to either join an existing Exchange 5.5
Organization or create a new Exchange 2000 organization. Select Join an
existing Exchange 5.5 organization. Next setup will prompt you to enter the
name of a server in the 5.5 organization. Enter one and click next.

Run DomainPrep

As with ForestPrep, DomainPrep only needs to be run once, but that is once
per domain, so you need to run it again to prepare every other domain.
For example, if you have five Active Directory domains, you will need to run
ForestPrep once and DomainPrep five times. The command line to execute
DomainPrep is “d:.exe /DomainPrep” where
“D:” is your CD Rom drive. After this step is complete, you can go ahead and
start upgrading the Exchange 5.5 Servers. Finish the other
options and then it’s time to install the Active Directory Connector.

What is the Active Directory Connector?

The Active Directory Connector, or ADC, is used for one purpose, to
synchronize Exchange 5.5 Directory information with Active Directory. So, if
you do not have Exchange 5.5 anywhere in your organization, YOU DO NOT NEED
THIS UTILITY. It comes as an additional item on the Windows 2000 server CD
ROM, but a more extensive version is available on the Exchange 2000 server
CD.

Install the Active Directory Connector

Before we start, there are some things that you need to do to get the ADC
installed. First is security. You must be a member of the Domain Admins,
Enterprise Admins, and Schema Admins security groups. At that point it would
be best if we could do this on a Domain Controller, preferably a Global
Catalog server, for performance reasons if you have multiple domains. Don’t
forget, if you have multiple domains, you must run the ADC setup once per
domain.

Place the Exchange 2000 CD in the drive, switch to the ADC folder and run
Setup.exe. The Active Directory Connector setup wizard will ask you for the
Exchange 5.5 Service account and password, so have this information ready.
Setup will modify the Windows 2000 Schema to allow Exchange 5.5’s Directory
Service to populate it with user information. (Note: Schema
information for Active Directory only needs to be updated once for the ADC.)

Configuring the Active Directory Connector

Now the ADC should be installed. It’s time to configure it. You must
create connection agreements to allow the information to replicate between
AD and Exchange 5.5. A new MMC called the “Active Directory Connector” will
show up when you go into Administrative Tools. In the Active Directory
Connector Manager screen, shown below, right-click the icon representing
the ADC on your server. Click New,
and then click Recipient Connection Agreement. This creates a
Connection Agreement that allows the ADC to transfer recipient information
between Active Directory and Exchange 5.5.

Creating a new Connection Agreement

Once you create the ADC, there will be options for the type of
replication that you want to perform. If you select either Two-way
or From Windows to Exchange, Active Directory will need permission to
update the Exchange 5.5 Directory Service.

If you have multiple Exchange 5.5 sites, or Windows 2000 domains, the
process will become much more complex because each Exchange 5.5 site keeps
track of updating its own directory information and each Windows 2000 domain
keeps track of certain domain-specific information.

Running the Upgrade

At this point, your Forest, Domain, and Exchange 5.5 Directory
information should all be ready for you to begin the last step. Insert the
Exchange 2000 CD into the CD ROM of an existing Exchange 5.5 server that is
running Windows 2000 with Service Pack 1 and Exchange 5.5 Service pack 3.
Follow the steps like you would for any normal installation, except you will
select Upgrade instead of Install. The only other thing that
you need is the existing Exchange 5.5 Service Account password. The Exchange
databases are not upgraded until everything else has been completed. This is
to ensure that if the installation fails, your Exchange 5.5 databases will
not be affected.

Is it running?

If you want to check to see if the installation worked successfully, go
to the Services in Administrative tools and check to see if all of the
Exchange 2000 services that are set to automatically start up have started.
If you ever install a service pack or do any adjustments to the
installation, check the services. Also, it is helpful to look to the Event
Viewer to see if there are any errors. Exchange 2000 does not require a
reboot of your system after you install it, but it might be a good idea to
do so, just to check Event log errors that may occur during a reboot. The
last thing that you can look to is the “Exchange Server Setup
Progress.log” file. This file is located in the root of the C: drive and
contains detailed information about what occurred, or didn’t occur during
installation. Check the Start Menu. You should see a new program group
called Microsoft Exchange. Within that group, you should find the
Active Directory Cleanup Wizard, Active Directory Users and
Computers, Migration Wizard, and the System Manager. These are
the main utilities that you use to manage Exchange and will be discussed
more in depth in the Administrative Interface section of the review.

Here’s a little side treat. If you re-run setup for any reason, be it for
reinstallation or to add/remove components, the following will show up in
the “Exchange Server Setup Progress.log” file. But who’s Cartman???